Of course, if somebody’s going to feed someone who doesn’t know better malicious commands, they can always just have the victim toggle the –no-preserve-root flag. It’s hardly secret, black magic. It’s right in the man page.